FIPS Page

This section provides information on using ClearPass Policy Manager in Federal Information Processing Standards (FIPS) 140-2 approved mode. The U.S. Government developed FIPS 140-2 to define procedures, architectures, cryptographic algorithms, and other security techniques for use in government applications and networks that use cryptography. When running in FIPS Approved mode, ClearPass Policy Manager uses a FIPS 140-2 validated cryptographic module. Support is not available for non-approved authentication methods such as EAP-MD5 (non-tunneled) or the MD5 digest algorithm.

For details on the Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules, see:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2577

Enabling FIPS Mode Using CLI

1. You can enable FIPS mode in Policy Manager during installation using the CLI or post-installation using the Web UI.

The following figure displays the prompt to enable FIPS mode using the CLI:

Figure 1  Enabling FIPS Mode

2. After enabling FIPS mode using the CLI commands, you can verify whether FIPS mode is enabled on the Configuration Summary page.

Figure 2  FIPS Mode > Configuration Summary

Enabling FIPS Mode in the Policy Manager User Interface

Alternatively, you can enable or disable the FIPS mode in the Policy Manager user interface:

1. Navigate to Administration > Server Manager > Server Configuration, then select the server of interest. The Server Configuration dialog for the selected server opens.

2. Select the FIPS tab, then click Enable. After FIPS mode is enabled, the WebUI displays the text [FIPS] in the version footer at the bottom of the page.

Figure 3  Server Configuration > FIPS Tab

Important Points to Remember

Note the following important points when you enable FIPS mode in the ClearPass Policy Manager user interface:

The database is reset when you enable FIPS mode in ClearPass Policy Manager.


Ensure that you have backed up your database before enabling FIPS mode.

A configuration backup file from ClearPass Policy Manager in non-FIPS mode cannot be restored on ClearPass Policy Manager in FIPS mode. However, a configuration backup file from ClearPass Policy Manager in FIPS mode can be restored on ClearPass Policy Manager in non-FIPS mode.

The server will be removed from the cluster if FIPS mode is enabled.

All nodes in a cluster must be either in FIPS mode or in non-FIPS mode. ClearPass Policy Manager nodes in FIPS mode cannot be connected to a cluster whose nodes are in non-FIPS mode.

Legacy authentication methods such as EAP-MD5 and the MD5 digest algorithm are not supported in FIPS mode. You cannot import certificates that were created with the MD5 authentication type into the Certificate Trust List (Administration > Certificates > Certificate Trust List) page.
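Because MD5-signed certificates cannot be imported once FIPS mode is on, it is worth scanning the trust list exports before switching. The following is an added example, not ClearPass code, of a pre-flight check that reads the signatureAlgorithm OID directly from a certificate's DER encoding; the OID values are from RFC 3279/4055, and the sample certificates are constructed skeletons with an empty tbsCertificate (enough for the OID walk, not real certificates).

```python
# Pre-flight check before enabling FIPS mode: flag MD5-signed certificates (hypothetical helper, not ClearPass code).
import base64
import re

# Signature-algorithm OIDs from RFC 3279 / RFC 4055; FIPS mode rejects MD5.
SIG_ALG = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
           "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
           "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length, as in real certificates
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode DER OID content bytes into dotted notation."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # last byte of this arc
            parts, value = parts + [str(value)], 0
    return ".".join(parts)

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, cert_start, _ = _read_tlv(der, 0)
    _, _, tbs_end = _read_tlv(der, cert_start)       # skip tbsCertificate
    _, alg_start, _ = _read_tlv(der, tbs_end)         # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])

def check_fips_compatible(pem):
    """Return (ok, algorithm); ok is False when the certificate is MD5-signed."""
    oid = signature_oid(base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem)))
    name = SIG_ALG.get(oid, "unknown OID " + oid)
    return not name.startswith("md5"), name

def constructed_cert_pem(sig_oid_der):
    """Constructed test skeleton: empty tbsCertificate, then the given algorithm."""
    alg = b"\x30" + bytes([len(sig_oid_der) + 2]) + sig_oid_der + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"       # tbs, algorithm, signature
    der = b"\x30" + bytes([len(body)]) + body
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % base64.b64encode(der).decode()

MD5_RSA = bytes.fromhex("06092a864886f70d010104")     # constructed: OID 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # constructed: OID 1.2.840.113549.1.1.11
```

Run `check_fips_compatible` over each PEM exported from the Certificate Trust List; any `(False, ...)` result is a certificate that will not import in FIPS mode.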

The server reboots when you enable FIPS mode. You need to log in again to the Administration interface.

You can view the status of FIPS mode in the status bar. The following figure displays the status bar with the status of FIPS mode:

Figure 4  FIPS Status

You can also view the status of the FIPS mode using the CLI commands. For more information, see Show Commands.